Electronic Data Interchange (EDI) can be formally defined as 'The transfer of structured data, by agreed message standards, from one computer system to another without human intervention' (Wikipedia, 2007). It represents the application of computer and communications technology to traditional paper-based business processes, supporting innovative changes in those processes. It involves the exchange and transmittal of business documents, such as invoices, purchase orders and shipping notices, in a standard, machine-processable format (CISA, 2008).
EDI is not a new technology. It was first used in the transportation and shipping industries in the 1970s. However, EDI use has grown significantly in many business sectors in the past decade. It is not limited to simply sending and receiving various messages but has allowed trading partners to access each other’s internal records, such as sales and inventory information. Its use has come into prominence because EDI can provide the following benefits:
• Less paperwork, reduced cost
• Fewer errors during the exchange of information
• Increased speed in information exchange and processing
• Improved trading partner relationships
• Improved intracompany flow of information
On the other hand, although EDI has created a number of changes in the way commerce is conducted and has offered significant opportunities, it also has attracted new threats and potential exposures and increased the seriousness of some existing problems. Some examples of these are described below.
• Absence of Human Intervention: this is often seen as an advantage, since computers can perform repetitive tasks more quickly and consistently than humans. From a security viewpoint, however, the removal of humans from the process also removes a degree of protection, since the computers are incapable of applying curiosity or common sense to instructions (Ian Walden, 1993).
• Paperless Trading: the absence of paper from the electronic trading process carries its own collection of advantages, and corresponding security problems. The absence of hard copy evidence in support of these business transactions has serious implications both from a legal standpoint and from an auditor’s perspective. Audit procedures will have to be established to verify specific transactions contained in electronic media.
• Increased Exposure to Fraud: EDI reduces the segregation of duties and limits the number of personnel involved with individual transactions. Control of internal systems and procedures may be limited to a few people. This increases the risk of unauthorized transactions (Stanley Weiner, 1995).
• Loss of Confidentiality of Sensitive Information: Proprietary information, such as...